[Freeipa-devel] service record conundrum

Rob Crittenden rcritten at redhat.com
Thu Dec 3 04:15:31 UTC 2009


Here is sort of a tricky problem, need some advice (LONG).

When we bootstrap an IPA server we create a number of principals for the 
server itself. We create a host/, HTTP/ and ldap/ principal using 
kadmin.local. By using kadmin.local this entry is put into 
cn=kerberos,dc=example,dc=com.

This has the nice side effect of making these records not appear as 
service entries so they are unmodifiable by anyone, meaning an admin 
will have a really hard time hosing their server.

The downside is that these records do not appear as service entries, so 
if you search for services on the IPA server you'll get nothing.

Even worse it means you can't request certificates for these services, 
because they don't exist. Not that one really should since we also 
generate certificates for these at bootstrap, but we don't store them 
anywhere because there isn't any place to put them. This also means that 
we can't track expiration of these.

To make things even more fun we have the DS uniqueness plugin configured 
so there can be no duplication in principal names. Since this is in the 
RDN of service records we can't even create a bit of a bogus entry to 
still protect the principals and yet be able to store certificates.

Remember too that these records are created during installation, 
effectively bootstrapping the real services (httpd, dirsrv), so we have 
limited options for how to generate them to begin with.

One idea I had is to continue to use kadmin.local to create the 
principals and then move them out of cn=kerberos into cn=services, 
adding whatever additional data we need. This way we would maintain the 
principalkeys. Then we'd need to insert the certificates we generate.

Unfortunately 389-DS doesn't seem to support newsuperior so I guess we'd 
have to move it ourselves via delete and re-add.

So I'm basically stuck right now.

rob
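As an added illustration of the delete-and-re-add idea above (not code from the mail or from FreeIPA), the script below takes a principal entry as LDIF, keeps its RDN and every attribute including the key blob, and emits a change file that deletes the entry under its old container before adding it under the new one. The delete has to come first precisely because of the uniqueness plugin on krbPrincipalName mentioned in the mail. The container DNs, the sample entry and the key and certificate bytes are all constructed for this example; real IPA containers and the exact object classes may differ.

```python
import base64

# Constructed sample entry, shaped like a principal kadmin.local would leave under
# cn=kerberos. The key bytes are made up; a real krbPrincipalKey is opaque.
SAMPLE_ENTRY = """\
dn: krbPrincipalName=HTTP/ipa.example.com@EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: HTTP/ipa.example.com@EXAMPLE.COM
krbPrincipalKey:: AAECAwQFBgc=
"""

# Assumed container DNs for this example (the mail only names cn=kerberos and cn=services).
OLD_CONTAINER = "cn=kerberos,dc=example,dc=com"
NEW_CONTAINER = "cn=services,dc=example,dc=com"


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, [(attr, value), ...]).

    Folded lines (leading space) are joined, '::' values are base64-decoded to
    bytes, plain ':' values are kept as str. Attribute order is preserved so the
    re-added entry looks like the original.
    """
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    dn, attrs = None, []
    for line in lines:
        if line.startswith("dn:"):
            dn = line[3:].strip()
            continue
        name, sep, rest = line.partition("::")
        if sep:
            attrs.append((name.strip(), base64.b64decode(rest.strip())))
        else:
            name, _, rest = line.partition(":")
            attrs.append((name.strip(), rest.strip()))
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def relocate_dn(dn, old_container, new_container):
    """Return the DN of the same entry (same RDN) under new_container."""
    suffix = "," + old_container
    if not dn.lower().endswith(suffix.lower()):
        raise ValueError(f"{dn} is not under {old_container}")
    rdn = dn[: len(dn) - len(suffix)]
    return f"{rdn},{new_container}"


def format_attr(name, value):
    """Emit one attribute line; binary values go out base64 with '::'."""
    if isinstance(value, bytes):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value}"


def move_ldif(entry_text, old_container, new_container, extra_attrs=()):
    """Build an LDIF change file: delete under the old container, then add under
    the new one with all original attributes plus any extra_attrs (for example a
    certificate). Ordering matters: the add would be rejected by the
    krbPrincipalName uniqueness plugin while the old entry still exists.
    """
    dn, attrs = parse_ldif_entry(entry_text)
    new_dn = relocate_dn(dn, old_container, new_container)
    out = [f"dn: {dn}", "changetype: delete", ""]
    out += [f"dn: {new_dn}", "changetype: add"]
    for name, value in list(attrs) + list(extra_attrs):
        out.append(format_attr(name, value))
    out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed placeholder certificate bytes; a real one would be DER.
    fake_cert = ("userCertificate;binary", b"\x30\x82\x00\x00")
    print(move_ldif(SAMPLE_ENTRY, OLD_CONTAINER, NEW_CONTAINER, [fake_cert]))
```

The output is meant to be fed to ldapmodify as a privileged bind; reading krbPrincipalKey out of the directory in the first place also needs sufficient rights, which is why the mail frames this as something done at bootstrap.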